But the Pass Filter is so useful! It saves me a lot of time not having to relay hundreds of valid messages each day which would be trapped for other reasons.

As you say, Randy, "From" addresses are easy to fake; but what about the originator's IP address? Could Trashfinder do an MX lookup on the domain part of the "From" address and then compare it with the actual originator's IP address? This would only be necessary for "Pass" addresses.

Another thought; how about changing the way in which the filters are applied? I presume that the "Pass" filter comes first, and any mail successfully negotiating that hurdle bypasses all other filters. The real problem is the "extensions" filter (.exe etc). All mail containing banned attachments should have to go through this filter, including "Pass List" sources, and be subjected to human checking before passing on to the end recipient.

Lastly.  Why do some emails still get trashed, even when the from address is in the "pass list"?   Your message below is an example.

The header shows the following:

From - Fri Jan 16 09:21:02 2004
X-UIDL: B0000275220.MSG
X-Mozilla-Status: 0011
X-Mozilla-Status2: 00000000
Received: from rockpub3.rockliffe.com (rockpub3.rockliffe.com [147.208.128.12]) by web-server.johnruskin.ac.uk
 (SMTPRCV 0.48) with SMTP id <[EMAIL PROTECTED]>;
 Thu, 15 Jan 2004 18:29:09 0000
X-Spam-Score: 3
Received: from 192.168.1.99 (ip-64-32-209-38.dsl.chi.megapath.net [64.32.209.38]) by rockliffe.com
 (Rockliffe SMTPRA 6.0.9) with SMTP id <[EMAIL PROTECTED]> for <[email protected]>;
 Thu, 15 Jan 2004 10:28:56 -0800
Received: from bigboynt (unverified [192.168.4.6]) by server.rrsoftware.com
 (EMWAC SMTPRS 0.83) with SMTP id <[EMAIL PROTECTED]>;
 Thu, 15 Jan 2004 12:19:56 -0600
From: "Randy Brukardt" <[EMAIL PROTECTED]>
To: <[email protected]>
Subject: RE: New kind of messages, blew right through my Trashfinder !
Date: Thu, 15 Jan 2004 12:15:40 -0600
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/related;
	boundary="----=_NextPart_000_002C_01C3DB61.4A6A58A0"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0)
Importance: Normal
In-Reply-To: <[EMAIL PROTECTED]>
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
X-Antirelay: Good relay from local net2 192.168.4.1/25
X-Trash-Finder: Message trashed, HTML automatic server access detected (background)
Reply-To: [email protected]
Sender: [EMAIL PROTECTED]
X-Trash-Finder: Message trashed, HTML automatic server access detected (background)

I have rrsoftware.com in my pass list. Do I need to add rockliffe.com as well?  Most messages from imsusers get through without any problems.

I am also a bit perplexed by the reason for trashing the message: HTML automatic server access detected (background). Where is that in the message?

David

Randy Brukardt wrote:
Essentially, you have Trash Finder set up to pass these messages. (Note the "X-Trashfinder: Message Passed..." line in the header.) If a spammer figures that out, they'll take advantage of it.
 
This is the reason that I don't recommend using the "Pass" filter in Trash Finder: "From" addresses are easy to fake. I've seen mail "from" our servers, too.
 
I use the "No Delete" filter to ensure that outgoing mail doesn't get deleted, but it might be filtered and delayed if there is something weird in it. That's life.
 
                    Randy.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of John Martoccio
Sent: Thursday, January 15, 2004 5:57 AM
To: [email protected]
Subject: New kind of messages, blew right through my Trashfinder !

Good Morning,
 
Last night, I received a disturbing response from one of my clients, that a message that appeared to be sending from them, to them, had appeared in their inbox!
 
Here is the header from that message:
Received: from computer (adsl-68-77-83-169.dsl.ipltin.ameritech.net [68.77.83.169]) by ntserver.fastad.com
 (SMTPRCV 0.48) with SMTP id <[EMAIL PROTECTED]>;
 Wed, 14 Jan 2004 06:10:55 -0600
Message-ID: <[EMAIL PROTECTED]>
From: "" <[EMAIL PROTECTED]>
Reply-To: "" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
CC: ,[EMAIL PROTECTED],[EMAIL PROTECTED]
Subject: RE:Beware of cheap ripoffs
Content-Type: text/html;charset="iso-8859-1"
Date: Wed, 14 Jan 2004 06:08:01 -0600
X-Mailer: (9.0.2910.0)
X-Trash-Finder: Message passed, "@fastad.com" found in Return-path in RCP
 
According to my wife that works for a large enterprise, she has been in contact with Microsoft on this issue with their Exchange server putting these right through, and she has supposedly seen hundreds of these. This was the first one that I had seen where it blew right past everything, so I want to put it out there for examination.
 
Sincerely,

John Martoccio
Intelligent Solutions (a computer VAR)
Fox Lake, IL, USA
[EMAIL PROTECTED]
